# John ## Identifying Hashes * * * ## Online Hash Crackers * * ## Format-Specific Cracking Once you have identified the hash that you're dealing with, you can tell john to use it while cracking the provided hash using the following syntax: ``` john --format=[format] --wordlist=[path to wordlist] [path to file] ``` * This is the flag to tell John that you're giving it a hash of a specific format, and to use the following format to crack it * `--format=` ### Example Usage: ``` john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt ``` * A Note on Formats: * When you are telling john to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it withraw- to tell john you're just dealing with a standard hash type, though this doesn't always apply. * To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like ``` john --list=formats | grep -iF "md5". ``` ## Cracking Windows Hashes ### NTHash and NTLM * NThash is the hash format that modern Windows Operating System machines will store user and service passwords in. * It's also commonly referred to as "NTLM" which references the previous version of Windows format for hashing passwords known as "LM", thus "NT/LM". -You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine. * By using a tool like Mimikatz or from the Active Directory database: NTDS.dit. * You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy. ## Cracking Hashes on Linux ### Unshadowing * John can be very particular about the formats it needs data in to be able to work with it, for this reason- in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows: ``` unshadow [path to passwd] [path to shadow] ``` * `unshadow` - Invokes the unshadow tool * `[path to passwd]` - The file that contains the copy of the /etc/passwd file you've taken from the target machine * `[path to shadow]` - The file that contains the copy of the /etc/shadow file you've taken from the target machine ### Example Usage: ``` unshadow local_passwd local_shadow > unshadowed.txt ``` #### Note on the files * When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example: * FILE 1 - local\_passwd * Contains the /etc/passwd line for the root user: ``` root:x:0:0::/root:/bin/bash ``` * FILE 2 - local\_shadow * Contains the /etc/shadow line for the root user: ``` root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576:::::: ``` ### Cracking * We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt" directly into John. * We should not need to specify a mode here as we have made the input specifically for John. * However in some cases you will need to specify the format as we have done previously using: `--format=sha512crypt`. ``` john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt ``` ## Cracking Zip Password Protected File ### Zip2John * Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand * The basic usage is like this: ``` zip2john [options] [zip file] > [output file] ``` * `[options]` - Allows you to pass specific checksum options to zip2john, this shouldn't often be necessary * `[zip file]` - The path to the zip file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` zip2john zipfile.zip > zip_hash.txt ``` #### Cracking * We're then able to take the file we output from zip2john in our example use case called "zip\_hash.txt" and, as we did with unshadow, feed it directly into John as we have made the input specifically for it. ``` john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt ``` ## Cracking a Password Protected RAR Archive ### Rar2John * Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. * The basic syntax is as follows: ``` rar2john [rar file] > [output file] ``` * `rar2john` - Invokes the rar2john tool * `[rar file]` - The path to the rar file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` rar2john rarfile.rar > rar_hash.txt ``` #### Cracking * Once again, we're then able to take the file we output from rar2john in our example use case called "rar\_hash.txt" and, as we did with zip2john we can feed it directly into John.. ``` john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt ``` ## Cracking SSH Keys ### SSH2John * As the name suggests ssh2john converts the id\_rsa private key that you use to login to the SSH session into hash format that john can work with. * Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located in the `/opt/john/ssh2john.py`. * If you're doing this, replace the ssh2john command with python3 /opt/ssh2john.py or on Kali, python /usr/share/john/ssh2john.py. ``` ssh2john [id_rsa private key file] > [output file] ``` * `ssh2john` - Invokes the ssh2john tool * `[id_rsa private key file]` - The path to the id\_rsa file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` ssh2john id_rsa > id_rsa_hash.txt ``` #### Cracking * For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id\_rsa\_hash.txt" and, as we did with rar2john we can use this seamlessly with John: ``` john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt ``` ## PGP Keys * Have a file `tryhackme.adc` (the PGP Private Key block) and `credential.pgp` (the encrypted file) * Use `gpg2john` output the PGP key to a hash format ``` gpg2john tryhackme.asc > hash ``` * Should look like this: ``` tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme ::tryhackme.asc ``` * Crack the hash ``` john --wordlist=/usr/share/wordlists/rockyou.txt hash john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt hash ``` * Should end up with the file contents ``` tryhackme:alexandru:::tryhackme ::tryhackme.asc ``` * Now need to use gpg to import the key back on the target box ``` gpg --import tryhackme.asc gpg --decrypt credential.pgp ``` ### GPG Errors ``` gpg: decryption failed: No secret key ``` * Errors populates despite it being the correct key -> Memory daemon needs restarting ``` ps aux | grep gpg-agent kill -14 pid# ``` ## Rule Based Attacks * Also known as hybrid attacks. * Assumes attacker knows something about the password policy. * John config file: ``` /etc/john/john.conf OR /opt/john/john.conf ``` * Look for `List.Rules` to see the available rules. * Example: ``` cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF JumboSingle o1 o2 i1 i2 o1 i1 o2 i2 best64 d3ad0ne dive InsidePro T0XlC rockyou-30000 specific ``` * `best64` rule contains the best 64 built in `John` Rules. * To use: ``` echo "tryhackme" > single-password-list.txt john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout | wc -l Using default input encoding: UTF-8 Press 'q' or Ctrl-C to abort, almost any other key for status 76p 0:00:00:00 100.00% (2021-10-11 13:42) 1266p/s pordpo 76 ``` * \--wordlist= to specify the wordlist or dictionary file. * \--rules to specify which rule or rules to use. * \--stdout to print the output to the terminal. * |wc -l to count how many lines John produced. * By running the previous command we have expanded our password list from 1 (tryhackme) to 76. #### Another Good Rule to use: ``` john --wordlist=single-password-list.txt --rules=KoreLogic --stdout |grep "Tryh@ckm3" Using default input encoding: UTF-8 Press 'q' or Ctrl-C to abort, almost any other key for status Tryh@ckm3 7089833p 0:00:00:02 100.00% (2021-10-11 13:56) 3016Kp/s tryhackme999999 ``` ### Creating Custom Rules * we want to add special characters to the beginning and a number to the end, the format would be: ``` [symbols]word[0-9] ``` * We can add our rule to the end of john.conf: ``` user@machine$ sudo vi /etc/john/john.conf [List.Rules:THM-Password-Attacks] Az"[0-9]" ^[!@#$] ``` \[List.Rules:THM-Password-Attacks] specify the rule name THM-Password-Attacks. * `Az` represents a single word from the original wordlist/dictionary using `-p`. * `"[0-9]"` append a single digit (from 0 to 9) to the end of the word. For two digits, we can add `"[0-9][0-9]"` and so on. * `^[!@#$]` add a special character at the beginning of each word. `^` means the beginning of the line/word. Note, changing `^` to `$` will append the special characters to the end of the line/word. ### Note * All credit goes to the creator(s) of the John the Ripper Tool on THM. * [www.tryhackme.com/room/johntheripper0](http://www.tryhackme.com/room/johntheripper0) *** ## hashID for John Format ```bash hashid -j 193069ceb0461e1d40d216e32c79c704 ``` *** ## Single Crack Mode ```bash john --single passwd ``` *** ## Incremental Mode ```bash john --incremental ``` ### View Incremental Modes in Config ```bash grep '# Incremental modes' -A 100 /etc/john/john.conf ``` *** ## 2john Conversion Tools * Use `locate *2john*` to find all available converters | Tool | Use | | ----------------- | ----------------------- | | `ssh2john.py` | SSH private keys | | `office2john.py` | MS Office documents | | `pdf2john.py` | PDF files | | `zip2john` | ZIP archives | | `rar2john` | RAR archives | | `7z2john.pl` | 7z archives | | `bitlocker2john` | BitLocker volumes | | `keepass2john` | KeePass databases | | `putty2john` | PuTTY keys | | `pfx2john` | PFX/PKCS12 certificates | | `gpg2john` | GPG keys | | `wpa2john` | WPA handshakes | | `vncpcap2john` | VNC pcap files | | `mscash2john` | MS Cache hashes | | `DPAPImk2john.py` | DPAPI master keys | *** ## Cracking Office Documents ```bash office2john.py Protected.docx > protected-docx.hash john --wordlist=rockyou.txt protected-docx.hash john protected-docx.hash --show ``` *** ## Cracking PDFs ```bash pdf2john.py PDF.pdf > pdf.hash john --wordlist=rockyou.txt pdf.hash john pdf.hash --show ``` *** ## Cracking OpenSSL-Encrypted Archives ```bash file GZIP.gzip for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done ``` *** ## Hunting for Encrypted Files ```bash for ext in $(echo ".xls .xls* .xltx .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` *** ## Hunting for SSH Keys ```bash grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null ``` *** ## Check if SSH Key is Encrypted ```bash ssh-keygen -yf ~/.ssh/id_ed25519 ssh-keygen -yf ~/.ssh/id_rsa ``` *** ## Mounting BitLocker in Linux ```bash sudo apt-get install dislocker sudo mkdir -p /media/bitlocker /media/bitlockermount sudo losetup -f -P Backup.vhd sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount ```